1 files changed, 219 insertions, 0 deletions

diff --git a/results/classifier/118/none/1892966 b/results/classifier/118/none/1892966
new file mode 100644
index 00000000..6c6b10a1
--- /dev/null
+++ b/results/classifier/118/none/1892966
@@ -0,0 +1,219 @@
+KVM: 0.740
+virtual: 0.729
+hypervisor: 0.729
+TCG: 0.723
+risc-v: 0.719
+ppc: 0.707
+vnc: 0.702
+graphic: 0.693
+x86: 0.691
+peripherals: 0.690
+user-level: 0.684
+mistranslation: 0.679
+VMM: 0.670
+i386: 0.647
+permissions: 0.627
+register: 0.620
+debug: 0.620
+performance: 0.619
+device: 0.594
+semantic: 0.576
+files: 0.546
+architecture: 0.544
+arm: 0.537
+PID: 0.523
+boot: 0.521
+network: 0.519
+kernel: 0.511
+assembly: 0.503
+socket: 0.479
+
+Null-pointer dereference in blk_bs through ide_cancel_dma_sync
+
+Hello,
+Reproducer:
+cat << EOF | ./qemu-system-i386 -M pc \
+-drive file=null-co://,if=none,format=raw,id=disk0 \
+-device ide-hd,drive=disk0,bus=ide.1,unit=1 \
+-display none -nodefaults -display none -qtest stdio -accel qtest
+outw 0x176 0x35b3
+outb 0x376 0x5f
+outb 0x376 0x40
+outl 0xcf8 0x80000904
+outl 0xcfc 0x5c0525b7
+outb 0x176 0x0
+outl 0xcf8 0x8000091e
+outl 0xcfc 0xd7580584
+write 0x187 0x1 0x34
+write 0x277 0x1 0x34
+write 0x44f 0x1 0x5c
+write 0x53f 0x1 0x5c
+write 0x717 0x1 0x34
+write 0x807 0x1 0x34
+write 0x9df 0x1 0x5c
+write 0xbb7 0x1 0x34
+write 0xca7 0x1 0x34
+write 0xe7f 0x1 0x5c
+write 0xf6f 0x1 0x5c
+outb 0xd758 0x5f
+outb 0xd758 0x40
+EOF
+
+
+Trace:
+[S +0.083320] OK
+[R +0.083328] outb 0xd758 0x5f
+OK
+[S +0.084167] OK
+[R +0.084183] outb 0xd758 0x40
+../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
+SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in 
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
+==843136==The signal is caused by a READ memory access.
+==843136==Hint: address points to the zero page.
+    #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
+    #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
+    #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
+    #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
+    #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
+    #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
+    #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
+    #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
+    #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
+    #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
+    #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
+    #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
+    #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
+    #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
+    #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
+    #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
+    #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
+    #17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
+    #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
+    #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
+    #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
+    #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
+    #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
+    #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
+    #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
+    #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
+    #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
+==843136==ABORTING
+
+-Alex
+
+This problem does not trigger anymore for me with the current version of QEMU. Could you please check whether you can still reproduce it somehow with the latest version?
+
+Probably fixed.. Appears there was some attempt, but I'm not sure if it
+ever got merged:
+https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
+
+OSS-Fuzz never saw it, so it was probably fixed sometime before November.
+-Alex
+
+On 210527 1434, Thomas Huth wrote:
+> This problem does not trigger anymore for me with the current version of
+> QEMU. Could you please check whether you can still reproduce it somehow
+> with the latest version?
+> 
+> ** Changed in: qemu
+>        Status: New => Incomplete
+> 
+> -- 
+> You received this bug notification because you are subscribed to the bug
+> report.
+> https://bugs.launchpad.net/bugs/1892966
+> 
+> Title:
+>   Null-pointer dereference in blk_bs through ide_cancel_dma_sync
+> 
+> Status in QEMU:
+>   Incomplete
+> 
+> Bug description:
+>   Hello,
+>   Reproducer:
+>   cat << EOF | ./qemu-system-i386 -M pc \
+>   -drive file=null-co://,if=none,format=raw,id=disk0 \
+>   -device ide-hd,drive=disk0,bus=ide.1,unit=1 \
+>   -display none -nodefaults -display none -qtest stdio -accel qtest
+>   outw 0x176 0x35b3
+>   outb 0x376 0x5f
+>   outb 0x376 0x40
+>   outl 0xcf8 0x80000904
+>   outl 0xcfc 0x5c0525b7
+>   outb 0x176 0x0
+>   outl 0xcf8 0x8000091e
+>   outl 0xcfc 0xd7580584
+>   write 0x187 0x1 0x34
+>   write 0x277 0x1 0x34
+>   write 0x44f 0x1 0x5c
+>   write 0x53f 0x1 0x5c
+>   write 0x717 0x1 0x34
+>   write 0x807 0x1 0x34
+>   write 0x9df 0x1 0x5c
+>   write 0xbb7 0x1 0x34
+>   write 0xca7 0x1 0x34
+>   write 0xe7f 0x1 0x5c
+>   write 0xf6f 0x1 0x5c
+>   outb 0xd758 0x5f
+>   outb 0xd758 0x40
+>   EOF
+> 
+>   
+>   Trace:
+>   [S +0.083320] OK
+>   [R +0.083328] outb 0xd758 0x5f
+>   OK
+>   [S +0.084167] OK
+>   [R +0.084183] outb 0xd758 0x40
+>   ../block/block-backend.c:714:17: runtime error: member access within null pointer of type 'BlockBackend' (aka 'struct BlockBackend')
+>   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../block/block-backend.c:714:17 in 
+>   AddressSanitizer:DEADLYSIGNAL
+>   =================================================================
+>   ==843136==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x5593520d8ebc bp 0x7ffc0bb9e0b0 sp 0x7ffc0bb9e010 T0)
+>   ==843136==The signal is caused by a READ memory access.
+>   ==843136==Hint: address points to the zero page.
+>       #0 0x5593520d8ebc in blk_bs /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12
+>       #1 0x5593520d2d07 in blk_drain /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:1715:28
+>       #2 0x55935096e9dc in ide_cancel_dma_sync /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/core.c:723:9
+>       #3 0x55934f96b9ed in bmdma_cmd_writeb /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/pci.c:298:13
+>       #4 0x55934fea0547 in bmdma_write /home/alxndr/Development/qemu/general-fuzz/build/../hw/ide/piix.c:75:9
+>       #5 0x55935175dde0 in memory_region_write_accessor /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:483:5
+>       #6 0x55935175d2bd in access_with_adjusted_size /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:544:18
+>       #7 0x55935175af70 in memory_region_dispatch_write /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/memory.c:1466:16
+>       #8 0x5593513b98a6 in flatview_write_continue /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3176:23
+>       #9 0x5593513a2878 in flatview_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3216:14
+>       #10 0x5593513a23a8 in address_space_write /home/alxndr/Development/qemu/general-fuzz/build/../exec.c:3308:18
+>       #11 0x559351803e07 in cpu_outb /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/ioport.c:60:5
+>       #12 0x5593516c7b6d in qtest_process_command /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:392:13
+>       #13 0x5593516c363e in qtest_process_inbuf /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:710:9
+>       #14 0x5593516c23e3 in qtest_read /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/qtest.c:722:5
+>       #15 0x5593527c8762 in qemu_chr_be_write_impl /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:188:9
+>       #16 0x5593527c88aa in qemu_chr_be_write /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char.c:200:9
+>       #17 0x5593527ee514 in fd_chr_read /home/alxndr/Development/qemu/general-fuzz/build/../chardev/char-fd.c:68:9
+>       #18 0x5593526da736 in qio_channel_fd_source_dispatch /home/alxndr/Development/qemu/general-fuzz/build/../io/channel-watch.c:84:12
+>       #19 0x7f3be18ef4cd in g_main_context_dispatch (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x504cd)
+>       #20 0x559352c65c67 in glib_pollfds_poll /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:217:9
+>       #21 0x559352c63567 in os_host_main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:240:5
+>       #22 0x559352c62f47 in main_loop_wait /home/alxndr/Development/qemu/general-fuzz/build/../util/main-loop.c:516:11
+>       #23 0x55935144108d in qemu_main_loop /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/vl.c:1676:9
+>       #24 0x55934edd351c in main /home/alxndr/Development/qemu/general-fuzz/build/../softmmu/main.c:50:5
+>       #25 0x7f3be10f8cc9 in __libc_start_main csu/../csu/libc-start.c:308:16
+>       #26 0x55934ed28cf9 in _start (/home/alxndr/Development/qemu/general-fuzz/build/qemu-system-i386+0x2cb0cf9)
+> 
+>   AddressSanitizer can not provide additional info.
+>   SUMMARY: AddressSanitizer: SEGV /home/alxndr/Development/qemu/general-fuzz/build/../block/block-backend.c:714:12 in blk_bs
+>   ==843136==ABORTING
+> 
+>   -Alex
+> 
+> To manage notifications about this bug go to:
+> https://bugs.launchpad.net/qemu/+bug/1892966/+subscriptions
+
+